It's Boxing Day; the Christmas holiday on the 25th has just ended. I logged into my online banking portal, glanced at my balance and knew that I would have to postpone my vacation till the end of next year.
Besides realising what little I have, I also noticed that I was not asked for my One Time Password (OTP). It seems that there was a change to the authentication process.
Two things were apparent from my first encounter:
I was brought straight in after entering my credentials. No OTP needed.
The numbers in the bank account were blocked off, leaving only a few digits visible.
Nonetheless, I was still able to verify the balance on my account.
Being paranoid, I re-entered with another terminal. The process was similar, but if I wanted to view past transactions or make a payment, I would still need to supply my OTP.
In short, this “limited view”, which does not require an OTP, allows me only to verify my account balance. To go any further, I would require my authentication token.
I understand that removing the mandatory OTP authentication for each login can significantly reduce the overall bandwidth and computing resources required for online banking services, especially if most users only want to be assured that their money is still there.
Reflecting on this encounter, I cannot help but think that a trade-off has been made as a form of risk management.
With this new process:
Are we compromising our security for performance and convenience?
If so, do you think it is a good trade-off?
While I am not stating that this new process is good or bad, I would like to hear your thoughts and views.
Update: Only customers with the new banking token will experience this change in the login process, as confirmed by Edgis community member Xu Dong.